Request is supposed to be proxied to Realm SOMEREALM. Not doing EAP.

Alan DeKok aland at deployingradius.com
Wed Sep 10 14:08:42 CEST 2014


Axel Luttgens wrote:
> In fact, I wasn't surprised by those roundtrips, but by the hardcoded behavior of the eap module: to return a noop in that precise case.

  The fact that modules have specific return codes is surprising?

  Would you expect them to have random return codes?  Or to return the
same code no matter what happens?

> After all, it has done "something", by recognizing the request as an EAP one but then taking the decision to not interfere with a subsequent proxy operation; in some sense, it has taken over the request.
> I was thus wondering whether a noop was the most appropriate return code; on the other hand, I had a doubt, because I could also have induced it myself, by some misconfiguration.

  If you read the eap module configuration, there is *nothing* which
says "change the return code".  So you *cannot* make it return "noop" by
some misconfiguration.

  It sounds like you think the modules are magic.  They're not.

> Incidentally, may that "# complex DB stuff here" just be an invocation of the sql module? As in:

  It can be whatever you want.  i.e. things to do when NOT using EAP.
That's sort of what I said.

> It seems to work, but aren't there some side-effects to be expected?

  There are no magical side-effects.  Pretty much all of the server
behavior is explicit.

> Finally, there's the problem of logging.
> I need to keep some trace of access requests, but wouldn't be really happy to have 10 lines written to the log for each connection attempt...
> Which kind of criterion, if any, could be easily used for writing one line per connection only?

  See the post-auth section.  That's what it's for.  And it's
documented, too.

  Alan DeKok.

